When OAuth password verification fails, return 401 instead of redirect (#5111)
Calling warden.authenticate! in resource_owner_from_credentials made the request redirect to the sign-in path, which is a bad response for API clients. Now bad credentials simply return nil, which makes Doorkeeper respond with HTTP 401. Also, accounts with 2FA enabled cannot be logged into this way.
gh/stable
parent
901fc48aae
commit
db3ed498b0
@ -7,15 +7,14 @@ Doorkeeper.configure do
|
||||||
current_user || redirect_to(new_user_session_url)
|
current_user || redirect_to(new_user_session_url)
|
||||||
end
|
end
|
||||||
|
|
||||||
resource_owner_from_credentials do |routes|
|
resource_owner_from_credentials do |_routes|
|
||||||
request.params[:user] = { email: request.params[:username], password: request.params[:password] }
|
user = User.find_by(email: request.params[:username])
|
||||||
request.env["devise.allow_params_authentication"] = true
|
user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
|
||||||
request.env["warden"].authenticate!(scope: :user)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
|
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
|
||||||
admin_authenticator do
|
admin_authenticator do
|
||||||
(current_user && current_user.admin?) || redirect_to(new_user_session_url)
|
current_user&.admin? || redirect_to(new_user_session_url)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Authorization Code expiration time (default 10 minutes).
|
# Authorization Code expiration time (default 10 minutes).
|
||||||
|
|
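Review bot: The new `user if !user&.otp_required_for_login? && user&.valid_password?(...)` line in resource_owner_from_credentials checks only the password, whereas the removed `warden.authenticate!(scope: :user)` call also ran Devise's `active_for_authentication?` gate (unconfirmed, locked or otherwise deactivated accounts), so such accounts can presumably now obtain a token through the password grant. If User is a Devise model, as the removed warden call suggests, the check should be `user if user&.active_for_authentication? && !user.otp_required_for_login? && user.valid_password?(request.params[:password])`. Two smaller points to confirm: `User.find_by(email:)` skips whatever key normalisation Devise's `find_for_database_authentication` applied (case-insensitivity, whitespace stripping), and when no user matches the bcrypt comparison is skipped entirely, so response time reveals whether an email is registered, which warden's paranoid handling was meant to hide; a comment such as `# NOTE: no dummy hash on miss, timing may leak account existence` would at least record the trade-off. Any failed-attempt counting the warden strategy performed (Lockable) is also no longer triggered from this endpoint.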